https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248778#M74298 <P>That's because in the first case, there's an <CODE>eval()</CODE> function to evaluate the <CODE>if()</CODE> expression, while in the second case there isn't.</P> <P><CODE>eval(if(method="GET", 0, 1))</CODE> evaluates to 0 if the method is GET, to 1 otherwise.</P> Mon, 28 Nov 2016 19:24:05 GMT martin_mueller 2016-11-28T19:24:05Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248769#M74289 <P>We use eval command to create new field, and we used this as function ex: <CODE>|stats count(eval(method="GET")) as get</CODE>. Can someone explain this example clearly? What is <CODE>eval</CODE> doing here?</P> Sun, 27 Nov 2016 09:37:53 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248769#M74289 nagarjuna280 2016-11-27T09:37:53Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248770#M74290 <P><CODE>count(eval())</CODE> is testing the boolean expression inside the <CODE>eval()</CODE> and only counting those events that yield true, ie those with <CODE>method="GET"</CODE>.</P> Sun, 27 Nov 2016 10:37:21 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248770#M74290 martin_mueller 2016-11-27T10:37:21Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248771#M74291 <P>The manual explains it at <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Usestatswithevalexpressionsandfunctions">Use stats with eval expressions and functions</A></P> <P>One example there is - </P> <PRE><CODE>status=404 | stats dc(eval(if(status=404, ip, NULL))) AS dc_ip </CODE></PRE> <P>your <CODE>method="GET"</CODE> is a shortcut for the <CODE>if(method="GET",1,0)</CODE> command. </P> Sun, 27 Nov 2016 23:01:57 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248771#M74291 ddrillic 2016-11-27T23:01:57Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248772#M74292 <P>|eval newitem=if(status=404, ip, null) <BR /> it returns "ip"<BR /> then we can use | stats dc(newItem).</P> <P>what does eval do after returning an argument (ip). like |stats dc(eval(ip))</P> <P>meaning of eval(ip) ?</P> Mon, 28 Nov 2016 18:14:12 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248772#M74292 nagarjuna280 2016-11-28T18:14:12Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248773#M74293 <P><CODE>| stats dc(eval(ip))</CODE> is the same as <CODE>| stats dc(ip)</CODE>.</P> Mon, 28 Nov 2016 18:18:30 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248773#M74293 martin_mueller 2016-11-28T18:18:30Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248774#M74294 <P>what does eval(ip) return?</P> Mon, 28 Nov 2016 18:29:29 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248774#M74294 nagarjuna280 2016-11-28T18:29:29Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248775#M74295 <P><CODE>eval(ip)</CODE> evaluates the expression <CODE>ip</CODE>, so it returns <CODE>ip</CODE>.</P> Mon, 28 Nov 2016 18:37:31 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248775#M74295 martin_mueller 2016-11-28T18:37:31Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248776#M74296 <P>as you said "| stats dc(eval(ip)) is the same as | stats dc(ip)"</P> <P>if(method="GET", 0 ,1) return 0 or 1</P> <P>then dc(eval(0)) should be same as dc (0)</P> <P>sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method </P> <P>should be same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method</P> <P>but not showing 0 results (last one)</P> Tue, 29 Sep 2020 11:56:41 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248776#M74296 nagarjuna280 2020-09-29T11:56:41Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248777#M74297 <P>as you said "| stats dc(eval(ip)) is the same as | stats dc(ip)"</P> <P>if(method="GET", 0 ,1) return 0 or 1</P> <P>then dc(eval(0)) should be same as dc (0)</P> <P>sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method</P> <P>giving 2 as count</P> <P>should be same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method</P> <P>0 as count<BR /> but showing 0 results (last one)</P> Tue, 29 Sep 2020 11:56:31 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248777#M74297 nagarjuna280 2020-09-29T11:56:31Z https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248778#M74298 <P>That's because in the first case, there's an <CODE>eval()</CODE> function to evaluate the <CODE>if()</CODE> expression, while in the second case there isn't.</P> <P><CODE>eval(if(method="GET", 0, 1))</CODE> evaluates to 0 if the method is GET, to 1 otherwise.</P> Mon, 28 Nov 2016 19:24:05 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-eval-command-doing-in-this-search/m-p/248778#M74298 martin_mueller 2016-11-28T19:24:05Z